This is an example that uses our container reusable workflow with security/management updates.

Changes:
- OIDC/workload identity federation to authenticate to Google Cloud instead of service account keys, which is best practice and more secure.
- Uses GCP Artifact Registry in the devopsre project, which we're moving to because it's easier to manage containers if they're all in one registry. Artifact Registry has a built-in security scanner and other features, and is the replacement for the GCR container registry.
- Non-main-branch-triggered workflows (e.g., a PR) push to the dev-images repo for testing with the :testing tag and the GitHub SHA of the commit.
- Merge to the main branch pushes to the optics-monorepo registry, with the :latest tag and the GitHub SHA of the merge commit.
- Tags are configurable.
- Adds signing using Sigstore (signs the image with GitHub's OIDC token, rather than a key) that can be verified.
- For public repos, uses Trivy scanning of images and uploads the results to the Security tab in GitHub.

Considerations:
- Will need to delete the old GCP service account key (not sure which one it was using before, since that's a hidden GitHub secret).
- Migrate whatever uses the container to point to the new Artifact Registry.
- The new Artifact Registry is public, so no GCP permissions should need to be added.
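As an added illustration (not the reusable workflow from this PR), a single-job GitHub Actions workflow that puts the pieces described above together: WIF auth, the branch-dependent registry and tag rule, keyless Sigstore signing of the pushed digest, and a Trivy SARIF upload gated to public repos. The registry host, workload identity provider path, service account name and image name are placeholders.

```yaml
on:
  push: { branches: [main] }
  pull_request:
permissions:
  contents: read
  id-token: write        # OIDC token: used for WIF auth and keyless cosign signing
  security-events: write # upload Trivy SARIF to the Security tab
env:
  # Placeholder host/provider/SA below are assumptions; image path follows the PR's branch rule
  REGISTRY: us-docker.pkg.dev
  IMAGE: ${{ github.ref == 'refs/heads/main' && 'devopsre/optics-monorepo/app' || 'devopsre/dev-images/app' }}
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - id: auth   # workload identity federation; no stored service account key
        uses: google-github-actions/auth@v2
        with:
          token_format: access_token
          workload_identity_provider: projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/POOL/providers/PROVIDER
          service_account: SA_NAME@devopsre.iam.gserviceaccount.com
      - uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: oauth2accesstoken
          password: ${{ steps.auth.outputs.access_token }}
      - id: meta   # :latest on main, :testing elsewhere, plus the full commit sha
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE }}
          tags: |
            type=sha,format=long
            type=raw,value=latest,enable={{is_default_branch}}
            type=raw,value=testing,enable=${{ github.ref != 'refs/heads/main' }}
      - id: build
        uses: docker/build-push-action@v5
        with: { push: true, tags: "${{ steps.meta.outputs.tags }}" }
      - uses: sigstore/cosign-installer@v3
      # keyless signing of the immutable digest (not a mutable tag); consumers verify with
      # cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp '^https://github.com/ORG/REPO/' <image>@<digest>
      - run: cosign sign --yes "${REGISTRY}/${IMAGE}@${{ steps.build.outputs.digest }}"
      - uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: sarif
          output: trivy.sarif
      - if: ${{ !github.event.repository.private }}  # code scanning upload only on public repos
        uses: github/codeql-action/upload-sarif@v3
        with: { sarif_file: trivy.sarif }
```

Signing and scanning the digest rather than a tag means the signature and the scan result stay bound to exactly the bytes that were pushed, even after :latest or :testing moves.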